Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 9 posts ] 
 Post subject: Battlefield 2 (v1.5)
PostPosted: 01 Sep 2009 20:15 

Joined: 16 Aug 2007 06:25
Posts: 367
Patch 1.5 for BF2 was released today. I did some testing to see if they fixed the fake player's DoS bug, and it looks like they made a pretty good attempt at it.

It seems that after your client sends the first UDP connect packet, the server will not respond to any more new connection packets from that same IP address for a short period of time (probably the time it takes an original fake player to time out). It will only reply to the original connection request. Though this isn't confirmed, it's just a guess from me running a packet sniffer while using the fake player tool (and also a custom version I wrote myself). I even tried running the fake player tool, and then connecting in the actual game, and the server times out (so it's temporarily blocking me until the first connection attempt times out). A few seconds after closing the fake player tool, I can get in again.

I would assume using spoofed IPs would still work (using udpsz with a random spoofed source address for example), but I'm going to do some additional testing to see what I come up with.


 
 
 Post subject: Re: Battlefield 2 (v1.5)
PostPosted: 01 Sep 2009 21:59 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Are you talking about patch 1.5 beta3?
Anyway, yes, with spoofed packets the limitation can be bypassed because the protocol is challengeless and the slot is filled with only one packet.
Have you also tested the -f option with the new patch to see if it's a real limitation and not a work-around?


 
 Post subject: Re: Battlefield 2 (v1.5)
PostPosted: 01 Sep 2009 22:43 

Joined: 16 Aug 2007 06:25
Posts: 367
The patch was officially released this morning (no longer in beta). I have done my tests on officially patched servers. I tried -f, and still nothing. I have also tried my custom tool which just spams the first packet and ignores replies (probably like your -f option) and nothing.

I tried udpsz with spoofed source address/port like so:
Code:
./udpsz -C "11200001000010c550110000000000000000000000000000000000000000000000000000000000000000000000a0ed8d6cee45cc4c06000000000000000000000000000000000000000000000000" -l 75 -R -P 0 10.20.30.40 16567 -1


... and it worked just fine, obviously because of the spoofing.

Overall, my tests show the following:
- Same IP and Port for each packet: server ignores the IP
- Same IP and different Port for each packet: server ignores the IP
- Spoofed IP and port for each packet: works

Another thing I tried was spoofing my own IP from another machine that has its own internet IP using UDPSZ... and I wasn't able to get in on the machine that really owns the IP. So with that: if you had a friend's IP, and you knew a server he really liked, you could block him from getting in by "pretending" to be him, and flooding the server. Let me add to that: if the player is ALREADY connected and playing, and you spam connect packets using his IP, he loses connection (along with anyone else using that same IP)! Not a huge deal since getting client IPs would be difficult (unless you were admin)... but pretty interesting nonetheless.

Also, players who share the same internet IP (college dorms/campuses, cyber cafes, wireless cafes) might have trouble connecting to the same server. I say "might" because I'm not sure how long the "IP ignoring" lasts when a user connects. It might be a few packets, and then the server will allow more connections from the same IP... but it might also be longer. So if you have 2 people connecting at the same time, from the same IP... one of them might see a timeout and have to try again. Though the game probably tries multiple times before timing out, so they may not see anything at all.

I plan on trying an additional test using 2 installed copies of BF2 to see if using the same IP on a server is even possible anymore. It probably is (Dice/EA would be stupid to block users from having the same IP)... but I want to play around with this just to be sure.


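The two posts above describe a connect protocol that is challengeless (one packet fills a slot) and a per-IP block that spoofed sources can sidestep or turn against the real owner of an address. The usual server-side mitigation is a stateless challenge cookie, shown here as an added example that is not part of the original thread and not the game's own code; the message names (`connect`, `confirm`), the 8-byte cookie and the 10-second TTL are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)  # server-side key (assumed: rotated periodically)
TTL = 10                 # seconds a challenge stays valid (assumed value)


def make_cookie(addr, now):
    """Stateless cookie bound to source IP, port and a coarse time bucket."""
    msg = f"{addr[0]}:{addr[1]}:{int(now) // TTL}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:8]


def cookie_valid(addr, cookie, now):
    # Accept the current and previous bucket so replies near a boundary verify.
    return any(hmac.compare_digest(cookie, make_cookie(addr, t))
               for t in (now, now - TTL))


class Server:
    def __init__(self, max_slots):
        self.max_slots = max_slots
        self.slots = set()  # source addresses that hold a player slot

    def on_packet(self, addr, kind, now, cookie=b""):
        if kind == "connect":  # step 1: answer with a challenge, allocate nothing
            return "challenge", make_cookie(addr, now)
        if kind != "confirm" or not cookie_valid(addr, cookie, now):
            return "drop", None
        if addr not in self.slots and len(self.slots) >= self.max_slots:
            return "full", None
        self.slots.add(addr)   # step 2: slot only after the address is proven
        return "accepted", None


def demo():
    srv, now = Server(max_slots=4), 1000.0
    # Constructed input: forged sources never see the reply and can only guess.
    for i in range(100):
        forged = (f"203.0.113.{i + 1}", 40000 + i)
        srv.on_packet(forged, "connect", now)
        srv.on_packet(forged, "confirm", now, cookie=bytes(8))
    forged_slots = len(srv.slots)
    # A real client owns its address, sees the cookie and echoes it back.
    real = ("198.51.100.7", 29900)
    _, cookie = srv.on_packet(real, "connect", now)
    verdict, _ = srv.on_packet(real, "confirm", now + 1, cookie=cookie)
    return forged_slots, verdict
```

Because the server keeps no state until a valid cookie returns, a sender forging someone else's address can neither occupy slots nor trigger a per-IP block against that address.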
 
 Post subject: Re: Battlefield 2 (v1.5)
PostPosted: 01 Sep 2009 22:53 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Good that the patch is now no longer in beta stage; that makes my bf2loopfix no longer required (and when the patch for bf2142 is also officially released, Francis could opt for the full disclosure of that vulnerability I patched).

And it's also good that they have definitely fixed the bug, although giving the admin no choice in the number of players from the same IP is bad; maybe it's a not-very-visible cvar or an option.


 
 Post subject: Re: Battlefield 2 (v1.5)
PostPosted: 02 Sep 2009 05:33 

Joined: 16 Aug 2007 06:25
Posts: 367
Small update: confirmed that multiple players with the same IP address CAN be on the same server at the same time. Though it's possible that they could see a problem if they connect around the exact same time.


 
 Post subject: Re: Battlefield 2 (v1.5)
PostPosted: 02 Sep 2009 15:18 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Or maybe the connection of the other players is allowed only when all the others from the same IP have fully joined the server, so not time-based.
It's only a hypothesis; yes, I know that I should verify it, but I'm lazy now :)


 
 Post subject: Re: Battlefield 2 (v1.5)
PostPosted: 02 Sep 2009 15:52 

Joined: 16 Aug 2007 06:25
Posts: 367
I was able to have 2 players simultaneously connecting at the same time, from the same IP, so I think it's after a certain packet or event the server allows new connections from the same IP.

Overall, it's nice to see they actually did something about it. Only took them 3 years from their last patch :P


 
 Post subject: Re: Battlefield 2 (v1.5)
PostPosted: 07 Sep 2009 10:43 

Joined: 07 Sep 2009 10:40
Posts: 1
*EDIT senseless ot, probably a spambot*


 
 Post subject: Re: Battlefield 2 (v1.5)
PostPosted: 09 Sep 2009 05:45 

Joined: 16 Aug 2007 06:25
Posts: 367
Another quick note on the patch: gs_login_server still works fine, which means the orange/big names bug should also still work :P


 